VYPR

CWE-400

Uncontrolled Resource Consumption

Class · Draft · Likelihood: High

Description

The product does not properly control the allocation and maintenance of a limited resource.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-147 · CAPEC-227 · CAPEC-492

CVEs mapped to this weakness (1,853)

page 27 of 93
  • CVE-2018-15399 · Med · Oct 5, 2018
    risk 0.44 · cvss 6.8 · epss 0.02

    A vulnerability in the TCP syslog module of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to exhaust the 1550-byte buffers on an affected device, resulting in a denial of service…

  • CVE-2018-15396 · Med · Oct 5, 2018
    risk 0.44 · cvss 6.8 · epss 0.02

    A vulnerability in the Bulk Administration Tool (BAT) for Cisco Unity Connection could allow an authenticated, remote attacker to cause high disk utilization, resulting in a denial of service (DoS) condition. The vulnerability exists because the affected software does not…

  • CVE-2026-34277 · Med · Apr 21, 2026
    risk 0.43 · cvss 6.6 · epss 0.00

    Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Fluid Core). Supported versions that are affected are 8.61-8.62. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise…

  • CVE-2023-36799 · Med · Sep 12, 2023
    risk 0.43 · cvss 6.5 · epss 0.05

    .NET Core and Visual Studio Denial of Service Vulnerability

  • CVE-2022-24713 · Hig · Mar 8, 2022
    risk 0.43 · cvss 7.5 · epss 0.14

    regex is an implementation of regular expressions for the Rust language. The regex crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide…

  • CVE-2018-1157 · Med · Aug 23, 2018
    risk 0.43 · cvss 6.5 · epss 0.04

    Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to a memory exhaustion vulnerability. An authenticated remote attacker can crash the HTTP server and in some circumstances reboot the system via a crafted HTTP POST request.

  • CVE-2018-15607 · Med · Aug 21, 2018
    risk 0.43 · cvss 6.5 · epss 0.05

    In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory…

  • CVE-2012-0881 · Hig · Oct 30, 2017
    risk 0.43 · cvss 7.5 · epss 0.17

    Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

  • CVE-2016-8734 · Med · Oct 16, 2017
    risk 0.43 · cvss 6.5 · epss 0.06

    Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU…

  • CVE-2016-5004 · Med · Jun 6, 2017
    risk 0.43 · cvss 6.5 · epss 0.06

    The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes.

  • CVE-2016-4055 · Med · Jan 23, 2017
    risk 0.43 · cvss 6.5 · epss 0.10

    The duration function in the moment package before 2.11.2 for Node.js allows remote attackers to cause a denial of service (CPU consumption) via a long string, aka a "regular expression Denial of Service (ReDoS)."

  • CVE-2016-9310 · Med · Jan 13, 2017
    risk 0.43 · cvss 6.5 · epss 0.11

    The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet.

  • CVE-2026-12151 · imp · Jun 17, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames

  • CVE-2026-12325 · Med · Jun 16, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Denial-of-service in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

  • CVE-2026-12319 · Med · Jun 16, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.

  • CVE-2026-39197 · Med · Jun 15, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.

  • CVE-2026-5079 · Hig · Jun 15, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to…

  • CVE-2026-44496 · Hig · Jun 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    Axios is a promise based HTTP client for the browser and Node.js. Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser…

  • CVE-2026-5497 · Hig · Jun 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. When processing `video/jpeg` data URLs, the method splits the base64 data string on commas to…

  • CVE-2026-46679 · Hig · Jun 10, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched…